[dns-wg] Re: [dnssec-deployment] Ny nyckelsigneringsnyckel (KSK) för .SE - New key signing key (KSK) for .SE

Patrik Wallstrom wrote:
> On Thu, 03 Jan 2008, Holger Zuleger wrote:
> 
>>> New key signing key (KSK) for .SE 
>>> As from today, 2008-01-03 .SE publish and take into use a new KSK for
>>> signing the .SE zone file. The key published with start 2006 with key
>>> id = 17686 is unvalid since 2008-01-01 and will be removed
>>> 2008-02-01. You should have configured the key published with start
>> Would it be possible to set the REVOKE Bit on that key, and announce it for 
>> another 30 days?
> 
> There was no time to fix this for this rollover. Next time.
Oh, sure, it's clear that no one want's to add a new functionality on a 
productive service without testing, even if it is just to set one bit.
But I thought that it was a good time to bring rfc5011 in mind...

>> Doing so enables a rfc5011 aware validator to discard the key automatically 
>> from the list of possible trust anchor.
> 
> Which resolvers honors the revocation bit? To my knowledge, no swedish
> resolver operators are using such software yet.
I think you are right. I guess that actually no one use it.
Small question to all the dnssec operators: Please raise your hand if 
I'm wrong. ;-)
And to the bind guys: Honors bind, used as an dnssec validator, the 
revoke bit?

Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4870 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.ripe.net/ripe/mail/archives/dns-wg/attachments/20080104/3d7f2624/attachment.bin>